Just logged into CVS and they prompted me to enroll a passkey. Super easy. 3 steps and I'm done. (For this browser, on this laptop — sync is the next hurdle.) #passwordless #authentication #passkey
Apps that will only present the #2FA challenge upon a successful password #authentication — isn’t there a very good point in always providing both, as to not give any hints on whether the first factor credentials were correct or not?
We really need to do away with this type of authentication.
The tests are often ambiguous. More importantly, they don’t meet accessibility requirements noted in WCAG 2.2. Specifically section 3.3.8 on “cognitive function tests”:
have #privacy about health info (think genetic disorders)
be anonymous in terms of DNA-person match (which means ethically working researchers can not include their data in studies, e.g. GWAS etc.)
Sensitive data matters. Biodata is one of the most sensitive types of data you can think of. My advice: Don't use it as a first auth factor. And definitely not as a sole key for crypto.
“Microsoft’s Offensive Research and Security Engineering (MORSE) asked us to evaluate the security of the top three #fingerprint sensors embedded in laptops and used for #Windows Hello fingerprint #authentication. Our #research revealed multiple #vulnerabilities that our team successfully exploited, allowing us to completely bypass Windows Hello authentication on all three laptops.”
Usually I polish my work a bit more before releasing it publicly, but I really wanted to give people interested in making fediverse apps for everyone a bit of a head start.
Here's a very work-in-progress authentication server I use for my fediverse connections data visualization project:
Thinking about getting myself a #Yubikey, but I'm a little worried if newer technologies like #passkeys and #fido2 or whatever may be better? I honestly don't know much about the world of hardware keys for #authentication and #security stuff
I received another email from #StandardBank, advising me to stop using a password to log into Internet Banking, and switch to scanning a QR code from within the Mobile App. No, Standard Bank, I'm not going to do that. Because it's stupid, and here's why:
The whole reason for me to visit Internet Banking on my computer is because I do not WANT to log into the banking app on my phone. But in order for me to use Internet Banking on my computer, they want me to open the app on my phone, log in, then navigate to the menu item for QR code scanning, and then scan the code I see on my PC monitor. At which point, I may as well use the mobile app. Which I didn't want.
Why can't they just use one of the many many Authenticator apps, like a normal company? I'd be more than happy to open my authenticator app, find Standard Bank, and punch the code in. It's good enough for Google, Microsoft, Github....
My PhD thesis on the usability, security, and privacy of Risk-Based Authentication (RBA) is now published. For free, for everyone, as I believe that publicly funded research should be open to the public.
On 239 pages, you will learn how to strengthen password-based authentication with RBA while being privacy-enhanced and accepted by users.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good MFA inside but don't want it to connect to the internet. My current point of view is: I can not place #Fido there since it "needs" internet in many ways... right? My current way of thinking is I build a PKI into this network and use it with #yubikey acting as a smartcard but not #u2f or #fido2. Am I wrong? Are there better options?
Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).
How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
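One way to answer the question above in code, as an added example (not code from the poster or from any WebAuthn library): the relying party parses the authenticator data returned from the assertion, checks the rpIdHash, the user-presence (UP) flag and the signature counter, and then branches on the user-verification (UV) flag. With `userVerification: "required"` the browser refuses to complete the ceremony without UV, so the flag is always set; with `"preferred"` the server must look at the flag itself and step up to another factor (for example TOTP) when it is clear. The relying-party ID, the flag values and the counter values are constructed sample data; the byte layout (32-byte rpIdHash, 1 flag byte, 4-byte big-endian signCount) and the flag bits are from the WebAuthn specification. The backup-eligibility/backup-state bits are included because they tell you whether the credential is a synced passkey rather than one bound to a single authenticator.

```python
"""Decide whether a passkey assertion already counts as MFA (UV performed) or
needs a step-up. Added example; the rpId and sample authenticator data are
constructed, not captured from a real ceremony.
"""
import hashlib
import struct
from dataclasses import dataclass

# authenticatorData flag bits (WebAuthn spec, section "Authenticator Data")
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_BE = 0x08  # backup eligible (credential can be synced)
FLAG_BS = 0x10  # backup state (credential is currently backed up / synced)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

REJECT, COMPLETE, NEED_SECOND_FACTOR = "reject", "complete", "need_second_factor"


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def up(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def uv(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def synced_passkey(self) -> bool:
        return bool(self.flags & FLAG_BE) and bool(self.flags & FLAG_BS)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix; attested credential data / extensions
    (if FLAG_AT / FLAG_ED are set) follow it and are not needed here."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def decide_mfa(auth: AuthData, rp_id: str, stored_sign_count: int) -> str:
    """Return what the login flow should do next after a verified signature."""
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return REJECT  # assertion was made for a different relying party
    if not auth.up:
        return REJECT  # no user presence: not even "something you have" was proven
    # Counter check from the spec: if either counter is non-zero, the new one
    # must be strictly greater, otherwise the authenticator may have been cloned.
    if (auth.sign_count or stored_sign_count) and auth.sign_count <= stored_sign_count:
        return REJECT
    if auth.uv:
        return COMPLETE  # possession + PIN/biometric in one ceremony = MFA
    # UV "preferred" but not performed: only one factor so far, step up.
    return NEED_SECOND_FACTOR


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix for testing (no real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = parse_authenticator_data(make_auth_data("login.example", FLAG_UP | FLAG_UV, 12))
    print(decide_mfa(sample, "login.example", stored_sign_count=11))
```

Two caveats that the flag check alone does not cover: the signature over `authenticatorData || sha256(clientDataJSON)` must already have been verified against the stored public key before `decide_mfa` is called, and the `stored_sign_count` must be updated to `auth.sign_count` after a successful assertion or the clone check is useless. Synced passkeys (BE and BS set) commonly report a counter of zero, which is why the check tolerates both counters being zero.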
I'm about to move a few parts of my network off-site. Anyone have any input for getting LDAP-based authentication to work across locations?
Like, LDAP+TLS with mutual certificate authentication is just fine, but I don't like the idea of exposing an LDAP port. Though a firewall rule to only allow the other side's IP to access it would probably be okay.
Given that this side still needs to access some internal services, it also makes sense just to #WireGuard it or something, that gives me everything in a manner that I believe is secure, I've yet to hear of any breaks on its encryption... just that if the remote host is compromised I have quite a wide open attack surface.
Some of the WCAG 2.2 guidelines around authentication are interesting when it comes to user experience for logging in, reinforcing the need to allow users to copy and paste passwords and use their password manager extension, among other things.
You can check Accessible Authentication (Minimum) (Level AA) for more details: https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html#examples
I wonder if there will be conflicts with security teams, though, what do you think? #Authentication #Accessibility
Happy to announce that I successfully defended my doctoral thesis "Usability, Security, and Privacy of Risk-Based Authentication" at Ruhr University Bochum.
It started in 2017 with a study on RBA use on popular websites. Never thought that this would end in 7 publications, >125 citations, public recognition by people I'm a big fan of, a DAAD RISE Germany scholarship, an internship at Meta, and the Open Data Impact Award 2022.
Google is making it harder for bulk senders to fill your Gmail with spam (www.theverge.com)
New Gmail rules enforced starting in February should reduce spam, make it easier to unsubscribe from bulk senders, and close email security loopholes exploited by cybercriminals.
Is there any notion of unique identification in the fediverse?
I mean between tools, no instances....
Ubuntu Azure AD Authentication
I recently found: AAD Auth from Canonical/Ubuntu for native AzureAD auth for Ubuntu systems. For the past bit we've mostly been Windows/macOS, and never really entertained linux for business use - mostly because we've never had the tooling for it. We exclusively use Azure AD (no on-prem AD), so in the past when looking the...